In this article, you learn about the connected registry feature of Azure Container Registry. A connected registry is an on-premises or remote replica that synchronizes container images with your cloud-based Azure container registry. Use a connected registry to help speed up access to registry artifacts in on-premises or remote environments.
The connected registry is a preview feature of the Premium container registry service tier, and subject to limitations. For information about registry service tiers and limits, see Azure Container Registry service tiers.
Important
Please note that there are important upcoming changes to the connected registry Deployment Model Support and Billing starting from January 1st, 2025. For any inquiries or assistance with the transition, please reach out to the customer support team.
A connected registry can be deployed in any region where Azure Container Registry is available.
A cloud-based Azure container registry provides features including geo-replication, integrated security, Azure-managed storage, and integration with Azure development and deployment pipelines. At the same time, customers are extending their cloud investments to their on-premises and field solutions.
To run with the required performance and reliability in on-premises or remote environments, container workloads need container images and related artifacts to be available nearby. The connected registry provides a performant, on-premises registry solution that regularly synchronizes content with a cloud-based Azure container registry.
Scenarios for a connected registry include:
The connected registry is deployed on a server or device on-premises, or an environment that supports container workloads on-premises such as Azure IoT Edge and Azure Arc-enabled Kubernetes. The connected registry synchronizes container images and other OCI artifacts with a cloud-based Azure container registry.
The following image shows a typical deployment model for the connected registry using IoT Edge.
The following image shows a typical deployment model for the connected registry using Azure Arc-enabled Kubernetes.
Each connected registry is a resource you manage within a cloud-based Azure container registry. The top parent in the connected registry hierarchy is an Azure container registry in the Azure cloud. The connected registry can be deployed either on Azure IoT Edge or Arc-enabled Kubernetes clusters.
To install the connected registry, use Azure tools on a server or device on your premises, or in an environment that supports on-premises container workloads, such as Azure IoT Edge.
Deploy the connected registry Arc extension to the Arc-enabled Kubernetes cluster. Secure the connection with TLS using default configurations for read-only access and a continuous sync window. This setup allows the connected registry to synchronize images from the Azure container registry (ACR) to the connected registry on-premises, enabling image pulls from the connected registry.
The connected registry's activation status indicates whether it's deployed on-premises.
The connected registry regularly accesses the cloud registry to synchronize container images and OCI artifacts.
It can also be configured to synchronize a subset of the repositories from the cloud registry or to synchronize only during certain intervals to reduce traffic between the cloud and the premises.
A connected registry can work in one of two modes: ReadWrite or ReadOnly.
ReadOnly mode - The default mode. When the connected registry is in ReadOnly mode, clients can only pull (read) artifacts. This configuration is used in scenarios where clients need to pull a container image to operate. This default mode aligns with our secure-by-default approach and is effective starting with CLI version 2.60.0.
ReadWrite mode - This mode allows clients to pull and push artifacts (read and write) to the connected registry. Artifacts that are pushed to the connected registry will be synchronized with the cloud registry. The ReadWrite mode is useful when a local development environment is in place. The images are pushed to the local connected registry and from there synchronized to the cloud.
Each connected registry must be connected to a parent. The top parent is the cloud registry. For hierarchical scenarios such as nested IoT Edge, you can nest connected registries in either mode. The parent connected to the cloud registry can operate in either mode.
Child registries must be compatible with their parent capabilities. Thus, both ReadOnly and ReadWrite modes of the connected registries can be children of a connected registry operating in ReadWrite mode, but only a ReadOnly mode registry can be a child of a connected registry operating in ReadOnly mode.
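The parent and mode rules above can be checked against a planned topology before anything is deployed. The following is an added example, not code from Azure Container Registry or its tooling: the inventory format (`name`, `parent`, `mode` dictionaries), the `cloud` placeholder for the top parent, and the registry names are all assumptions made for illustration.

```python
# Added example: audit a planned connected-registry hierarchy before deployment.
# The inventory format and every registry name below are hypothetical.

CLOUD = "cloud"  # placeholder for the top parent, the cloud registry
MODES = {"ReadOnly", "ReadWrite"}


def audit_hierarchy(registries):
    """Return a sorted list of (registry_name, problem) findings."""
    by_name = {r["name"]: r for r in registries}
    findings = []
    for reg in registries:
        name, parent = reg["name"], reg["parent"]
        mode = reg.get("mode", "ReadOnly")  # ReadOnly is the default mode
        if mode not in MODES:
            findings.append((name, f"unknown mode {mode!r}"))
            continue
        if parent != CLOUD and parent not in by_name:
            findings.append((name, f"parent {parent!r} is not defined"))
            continue
        # Walk up the parent chain; seeing a name twice means a cycle.
        seen, cur = {name}, parent
        while cur != CLOUD and cur in by_name:
            if cur in seen:
                findings.append((name, "parent chain never reaches the cloud registry"))
                break
            seen.add(cur)
            cur = by_name[cur]["parent"]
        # Only a ReadOnly registry can be a child of a ReadOnly parent.
        if parent != CLOUD:
            parent_mode = by_name[parent].get("mode", "ReadOnly")
            if mode == "ReadWrite" and parent_mode == "ReadOnly":
                findings.append((name, f"ReadWrite child under ReadOnly parent {parent!r}"))
    return sorted(findings)


# Constructed sample inventory.
SAMPLE = [
    {"name": "factory-gw", "parent": CLOUD, "mode": "ReadWrite"},
    {"name": "line-1", "parent": "factory-gw", "mode": "ReadOnly"},
    {"name": "line-1-dev", "parent": "line-1", "mode": "ReadWrite"},  # violates the rule
    {"name": "kiosk", "parent": "line-1"},  # mode omitted, treated as ReadOnly
    {"name": "orphan", "parent": "missing-gw", "mode": "ReadOnly"},
]

if __name__ == "__main__":
    for name, problem in audit_hierarchy(SAMPLE):
        print(f"{name}: {problem}")
```

Run over the sample, the audit flags `line-1-dev` (a ReadWrite registry nested under a ReadOnly parent) and `orphan` (a parent that is not defined), and accepts the rest.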
On-premises clients use standard tools such as the Docker CLI to push or pull content from a connected registry. To manage client access, you create Azure container registry tokens for access to each connected registry. You can scope the client tokens for pull or push access to one or more repositories in the registry.
Each connected registry also needs to regularly communicate with its parent registry. For this purpose, the registry is issued a synchronization token (sync token) by the cloud registry. This token is used to authenticate with its parent registry for synchronization and management operations.
For more information, see Manage access to a connected registry.
minMessageTtl is one day
maxMessageTtl is 90 days
minSyncWindow is 1 hr
maxSyncWindow is seven days
In this overview, you learned about the connected registry and some basic concepts. Continue to one of the following articles to learn about specific scenarios where a connected registry can be used.